Forum Discussion
Domain authentication issue
Thank you for the advice concerning the FSMO roles, Harm (@Harm_Veenstra). I moved all roles to the new domain controllers. I can't figure out how to attach the DCDiag log files. DCDiag shows multiple test failures (all three DCs were running):
- Both new DCs (DC2/DC3) fail the DFSREvent test with the error "DFS Replication service failed to communicate with partner DC1", where DC1 is the original 2012 domain controller.
- Both new DCs (DC2/DC3) fail the Advertising test with the error "SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE".
- Both new DCs fail the NetLogons test with the error "An net use or LsaPolicy operation failed with error 67, The network name cannot be found".
- DC3 (but not DC2) fails the LocatorCheck test: "A Primary Domain Controller could not be located" and "The server holding the PDC role is down" (DC2 is the PDC now).
- Original DC1 fails the DFSREvent test: "The DFS Replication service stopped replication on volume C:".
- DC1 fails the SystemLog test: "(KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket".
- DC1 fails the LocatorCheck test: "A Primary Domain Controller could not be located" and "The server holding the PDC role is down".
- Could you do this on the new DCs?
    Net stop netlogon
    Net start netlogon
    Ipconfig /registerdns
  And check the System log for errors.
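An added PowerShell helper, not posted by anyone in this thread, that gathers on one DC the things the discussion keeps coming back to: whether the SYSVOL and NETLOGON shares exist, which FSMO holders this DC believes in, which PDC and GC the locator returns, the time source, and recent Netlogon/KDC/DFSR errors in the System log. It assumes it runs elevated on a domain controller with the ActiveDirectory RSAT module installed; $DomainName is a placeholder for your own domain.

```powershell
# Added diagnostic helper, not from the thread. Assumes an elevated session on a
# domain controller with the ActiveDirectory module; $DomainName is an assumption.
param([string]$DomainName = $env:USERDNSDOMAIN)
Import-Module ActiveDirectory

# 1. A DC only advertises itself once SYSVOL and NETLOGON are shared.
$shares = Get-SmbShare | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' }
foreach ($s in 'SYSVOL', 'NETLOGON') {
    $state = if ($shares.Name -contains $s) { 'present' } else { 'MISSING' }
    "$s share: $state"
}

# 2. FSMO holders as this DC sees them; run on every DC and compare the output.
$d = Get-ADDomain $DomainName
$f = Get-ADForest
"PDC Emulator:   $($d.PDCEmulator)"
"RID Master:     $($d.RIDMaster)"
"Infrastructure: $($d.InfrastructureMaster)"
"Schema Master:  $($f.SchemaMaster)"
"Domain Naming:  $($f.DomainNamingMaster)"

# 3. Which PDC and GC the DC locator returns, and where this DC gets its time.
nltest /dsgetdc:$DomainName /pdc
nltest /dsgetdc:$DomainName /gc
w32tm /query /source

# 4. Critical/error/warning events from Netlogon, the KDC and DFSR in the last 24 hours.
$filter = @{ LogName = 'System'; Level = 1, 2, 3; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Netlogon|Kerberos-Key-Distribution-Center|DFSR' } |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Run it on each DC in turn; the FSMO block and the locator output should agree on every DC, and a missing SYSVOL or NETLOGON share in step 1 is the condition that keeps the Advertising and NetLogons tests failing.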
- Apr 29, 2022:
  OK, no SYSVOL is something that will prevent a DC from advertising itself. Hope this will get things running!
- Steinkirchner (Copper Contributor), Apr 29, 2022:
  The next step is to resolve the failed test NetLogons. From DCDiag output:
    Starting test: NetLogons
    * Network Logons Privileges Check
    Unable to connect to the NETLOGON share! (\\DC2\netlogon)
    [DC2] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
    ......................... DC2 failed test NetLogons
- Steinkirchner (Copper Contributor), Apr 29, 2022:
  My new DCs now pass the Advertising test. They did not have SYSVOL shares. I followed the instructions at the link below to set a registry entry to generate the missing shares.
  https://social.technet.microsoft.com/Forums/en-US/3d76a999-cfdc-4eff-b2ab-2fb697e8d7ee/2016-sysvol-and-netlogon-shares-missing-from-new-domain-controllers-added-to-2012-and-below?forum=ws2016
- Steinkirchner (Copper Contributor), Apr 29, 2022:
  I think the next issue to resolve is the Advertising test failure. From DCDiag output:
    Starting test: Advertising
    Warning: DsGetDcName returned information for \\DC1.<domain>, when we were trying to reach
    DC2.
    SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
    ......................... DC2 failed test Advertising
- Steinkirchner (Copper Contributor), Apr 29, 2022:
  Yes, DC1 is still online. All 3 of the DCs show the same output from netdom query fsmo.
- Apr 29, 2022:
  OK, but DC1 is still there. You did move all the FSMO roles; do all domain controllers see this change? If you run "netdom query fsmo" on all DCs individually, do they see the same output?
- Steinkirchner (Copper Contributor), Apr 28, 2022:
  No time differences between the DCs.
  The GC reference is shown in the DCDiag output:
    Starting test: LocatorCheck
    GC Name: \\DC1.<domain>
- Apr 28, 2022:
  The time server should be configured to a domain controller which syncs its time to the internet or hardware NTP. Are there time differences on the domain controllers?
  Could you post a screenshot of the GC reference?
- Steinkirchner (Copper Contributor), Apr 28, 2022:
  I did restart the netlogon services from the command prompt and then executed ipconfig /registerdns. The only error is from DC3: "A Primary Domain Controller could not be located". DC2/DC3 have 127.0.0.1 as the primary DNS and each other as the secondary DNS. They both are patched to April '22. Both also reference DC1 as the GC name and time server, which shouldn't be the case I think. They should reference themselves as the GC name and time server, correct?
- Apr 26, 2022:
  You did restart the netlogon service from a command prompt and did the ipconfig /registerdns? No errors in the event log about that? Both DCs have their own IP as primary DNS and the other DC as the secondary? Are the new DCs patched (Windows Update) to last month? The KDC error is also something that could be coming from patches from last year November.
- Steinkirchner (Copper Contributor), Apr 26, 2022:
  I'm sorry, Harm, by "ancient history" I meant that I thought that primary domain controllers no longer existed because there is no UI to configure PDCs. Our DC1 has been our PDC and only DC for the past 9 years.
  System Log info from DC2 (now the PDC):
  - (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket.
  - The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) from another KDC (FORTECHDC1) that did not contain a PAC attributes field.
  System log info from DC3:
  - Netlogon source: The primary Domain Controller for this domain could not be located.